The classification of data centres as Critical National Infrastructure underscores their importance in powering modern life. However, to fully protect them, Jon Mort, CTO, The Adaptavist Group, says cybersecurity strategies should anticipate future threats, align with evolving technologies and reinforce the security of the digital services that these centres support.
The UK government’s recent designation of data centres as Critical National Infrastructure has sparked important conversations about the resilience of our digital backbone. Now recognised alongside emergency services, healthcare and other essential utilities, this classification underscores the vital role data centres play in society. While it’s great to see the government catch up with our tech-driven world – where some jokingly refer to Wi-Fi as the new base of Maslow’s pyramid of needs – it also exposes a significant oversight.
While securing the physical infrastructure of data centres – such as entry points and hardware – is crucial, it cannot solely defend against the broader range of modern digital threats. Today’s interconnected systems, including complex software, AI-driven applications and cloud infrastructure, require preventive cybersecurity strategies to counter cyberattacks that can bypass physical defences.
Moreover, a comprehensive preventative cybersecurity strategy can enhance data centre resilience by monitoring for equipment failures that lead to significant outages. This holistic approach ensures that data centres can bolster their overall resilience against cyberthreats while maintaining operational and powering our modern world.
Why we need to rethink defence
As the UK government pushes for economic growth and supports the expansion of data centres, it’s crucial that regulations not only focus on physical security but also ensure the resilience of the IT services being run on these centres. This means creating rules that address the growing complexity of digital infrastructure and the increased risk of cyberattacks.
With the rise of cloud-based infrastructure, the UK’s businesses and national infrastructure now face more potential vulnerabilities. Attack surfaces have expanded, meaning there are more ways for cybercriminals to exploit weaknesses in these systems. In light of this, governments and industries must collaborate to develop robust practices that protect not only the physical assets powering our digital world but also the digital services that underpin nearly every aspect of modern life.
Just as locking the front door won’t stop a fire from spreading inside a building, physical security around data centres cannot protect the digital world. When cyberthreats emerge, they often do so from unexpected angles, targeting vulnerabilities in software, networks and human behaviours. Cybercriminals and state-sponsored bad actors increasingly exploit these weaknesses to infiltrate systems, evade physical defences and wreak havoc on vital services. A shift in focus from reactive to preventive cybersecurity is necessary.
Embracing a preventive cybersecurity approach
Safeguarding our infrastructure means efforts must also focus on the software and systems that operate within data centres and the practices used to develop and maintain them. By embedding security at every stage – from design and development to deployment and then operation – we can anticipate and mitigate risks before they escalate into breaches. This ensures a more resilient and secure digital ecosystem. This involves:
Security certification and operational documentation: Achieving and maintaining recognised security certifications is a cornerstone of robust data centre security. These certifications encourage discipline and adherence to industry-standard best practices, elevating an organisation’s overall security position. The certification process demands rigorous documentation of security policies, procedures and incident response plans. This comprehensive operational documentation serves multiple critical functions: it ensures all team members have a common understanding of security protocols, reduces human error risks and provides a clear audit trail for post-incident analysis.
In the event of a security breach, well-maintained and automated documentation can significantly expedite the incident response process, minimising potential damage and downtime. By prioritising both certification and automating documentation updates to prevent configuration drift, organisations ensure that their records stay accurate and up to date. This approach not only helps meet industry standards but also fosters a culture of accountability and continuous improvement in security practices, ultimately enhancing resilience against evolving cyberthreats.
Continuous monitoring and threat intelligence: Constantly monitoring the systems within data centres allows organisations to detect anomalies and potential threats in real-time before a security breach occurs. By utilising threat intelligence, security teams can stay ahead of emerging cyberthreats and adopt appropriate countermeasures. This can be strengthened by investing in behavioural analytics, which identifies anomalies based on user and system behaviour, ensuring that security measures remain proactive. When potential issues are monitored and thus deftly detected, alerting and escalation procedures come into play quicker. Automated alerts can activate communication protocols, enabling quicker collaboration between departments like security, network and system administration. Thus, teams can work more seamlessly together.
Vulnerability assessments: Regularly assessing systems for vulnerabilities helps organisations identify weaknesses that could be exploited by attackers. This means reviewing both software and hardware configurations, as well as third-party dependencies. For example, the CrowdStrike incident, where a software update led to a widespread outage, highlights the need for rigorous vulnerability assessments in software development and deployment practices.
Employee training and awareness: As human error remains a significant factor in cyber incidents, educating employees about cybersecurity best practices is vital. Training staff to recognise phishing attempts and other common attack vectors can significantly enhance a data centre’s overall security posture, particularly since human error is a leading cause of data breaches. For instance, the CrowdStrike crisis was ultimately traced back to a mistake in the development process. Implementing comprehensive training strategies can help prevent such risks in the future.
Additionally, organisations should strive to cultivate a ‘see it, say it, sort it’ culture that empowers employees and emphasises learning rather than blame. This approach encourages staff at all levels to voice concerns and take initiative in addressing issues. In some organisations, lower-level staff may hesitate to raise concerns due to strict hierarchies, shyness, or fear of consequences. By nurturing an environment where employees feel comfortable speaking up, regardless of their position, organisations can improve safety, efficiency and problem-solving.
Collaboration and regulatory guidance: Collaboration between governments and industries is essential for developing robust practices that safeguard both physical assets and the digital services supported by data centres. Regulatory guidance should focus on the operational resilience of IT systems to ensure they can withstand cyberthreats.
Securing the future for data centres
As the cybersecurity landscape continues to evolve, the complexity of the threats facing our digital infrastructure demands a more proactive approach. To ensure the long-term resilience of our data centres, we must move beyond simply securing physical assets and focus on safeguarding the interconnected systems that operate within them – software, cloud services and AI-driven applications.
A robust preventive cybersecurity strategy requires continuous monitoring, regular vulnerability assessments and comprehensive employee training to mitigate risks. And collaboration between governments and industry is vital to developing the regulatory frameworks necessary to protect both physical and digital assets.